This is an extension of #4449.
We got a request in https://www.redhat.com/archives/freeipa-users/2014-September/msg00323.html to optionally restore requesting a client cert.
The RFE is to add an option, --machine-cert (or something), which will have certmonger request a certificate and store it in a new database in /etc/ipa/nssdb.
This will require some rpm changes so ipa-client owns the database. I think the db should be ghosted initially and ipa-client-install will generate a new, password-less database on demand. Rights will be root:root mode 644.
Honza already had a patch in the works for this.
This requires the /etc/ipa/nssdb/ (#3259) that is included in FreeIPA 4.1.
Moving the RFE to 4.1.
master:
ipa-4-1:
Metadata Update from @rcritten: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.1